{"id":"CVE-2026-32730","summary":"ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware","details":"ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA requirements were NOT — to be used as fully authenticated bearer tokens. This completely bypasses multi-factor authentication for any ApostropheCMS deployment using `@apostrophecms/login-totp` or any custom `afterPasswordVerified` login requirement. Version 4.28.0 fixes the issue.","aliases":["GHSA-v9xm-ffx2-7h35"],"modified":"2026-03-20T03:04:59.230767Z","published":"2026-03-18T22:00:14.612Z","database_specific":{"cwe_ids":["CWE-287","CWE-305"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32730.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32730.json"},{"type":"ADVISORY","url":"https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-v9xm-ffx2-7h35"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32730"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apostrophecms/apostrophe","events":[{"introduced":"0"},{"fixed":"7e607c9fe1605764144bdc9f529961d5738e7ea2"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.28.0"}]}}],"versions":["0.1.1","0.1.10","0.1.11","0.1.12","0.1.13","0.1.14","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.1.9","0.2.0","0.3.0","0.3.1","0.3.10","0.3.11","0.3.12","0.3.13","0.3.14","0.3.15","0.3.16","0.3.18","0.3.19","0.3.2","0.3.3","0.3.4","0.3.5","0.3.6","0.3.7","0.3.8","0.3.9","0.4.1","0.4.10","0.4.100","0.4.101","0.4.102","0.4.103","0.4.104","0.4.105","0.4.106","0.4.107","0.4.108","0.4.109","0.4.11","0.4.110","0.4.111","0.4.112","0.4.113","0.4.114","0.4.115","0.4.116","0.4.117","0.4.118","0.4.119","0.4.12","0.4.120","0.4.121","0.4.122","0.4.123","0.4.124","0.4.125","0.4.126","0.4.127","0.4.128","0.4.129","0.4.13","0.4.130","0.4.131","0.4.132","0.4.133","0.4.134","0.4.135","0.4.136","0.4.137","0.4.138","0.4.139","0.4.14","0.4.140","0.4.141","0.4.142","0.4.143","0.4.144","0.4.145","0.4.146","0.4.147","0.4.148","0.4.149","0.4.15","0.4.150","0.4.151","0.4.152","0.4.153","0.4.154","0.4.155","0.4.156","0.4.157","0.4.158","0.4.159","0.4.16","0.4.160","0.4.161","0.4.162","0.4.163","0.4.164","0.4.165","0.4.166","0.4.167","0.4.168","0.4.169","0.4.17","0.4.170","0.4.171","0.4.172","0.4.173","0.4.174","0.4.175","0.4.176","0.4.177","0.4.178","0.4.179","0.4.18","0.4.180","0.4.181","0.4.182","0.4.183","0.4.184","0.4.19","0.4.2","0.4.20","0.4.21","0.4.22","0.4.23","0.4.24","0.4.25","0.4.26","0.4.27","0.4.28","0.4.29","0.4.3","0.4.30","0.4.31","0.4.32","0.4.33","0.4.34","0.4.35","0.4.36","0.4.37","0.4.38","0.4.39","0.4.4","0.4.40","0.4.41","0.4.42","0.4.43","0.4.44","0.4.45","0.4.46","0.4.47","0.4.48","0.4.49","0.4.5","0.4.50","0.4.51","0.4.52","0.4.53","0.4.54","0.4.55","0.4.56","0.4.57","0.4.58","0.4.59","0.4.6","0.4.60","0.4.61","0.4.62","0.4.63","0.4.64","0.4.65","0.4.66","0.4.67","0.4.68","0.4.69","0.4.7","0.4.70","0.4.71","0.4.72","0.4.73","0.4.74","0.4.75","0.4.76","0.4.77","0.4.78","0.4.79","0.4.8","0.4.80","0.4.81","0.4.82","0.4.83","0.4.84","0.4.85","0.4.86","0.4.87","0.4.88","0.4.89","0.4.9","0.4.90","0.4.91","0.4.92","0.4.93","0.4.94","0.4.95","0.4.96","0.4.97","0.4.98","0.4.99","0.5.0","0.5.1","0.5.10","0.5.100","0.5.101","0.5.102","0.5.103","0.5.104","0.5.105","0.5.106","0.5.107","0.5.108","0.5.109","0.5.11","0.5.110","0.5.111","0.5.112","0.5.113","0.5.114","0.5.115","0.5.116","0.5.117","0.5.118","0.5.119","0.5.12","0.5.120","0.5.121","0.5.122","0.5.123","0.5.124","0.5.125","0.5.126","0.5.127","0.5.128","0.5.129","0.5.13","0.5.130","0.5.131","0.5.132","0.5.133","0.5.134","0.5.135","0.5.136","0.5.137","0.5.138","0.5.139","0.5.14","0.5.140","0.5.141","0.5.142","0.5.143","0.5.144","0.5.145","0.5.146","0.5.147","0.5.148","0.5.149","0.5.15","0.5.150","0.5.151","0.5.152","0.5.153","0.5.154","0.5.155","0.5.156","0.5.157","0.5.158","0.5.159","0.5.16","0.5.160","0.5.161","0.5.162","0.5.163","0.5.164","0.5.165","0.5.166","0.5.167","0.5.168","0.5.169","0.5.17","0.5.170","0.5.171","0.5.172","0.5.173","0.5.174","0.5.175","0.5.176","0.5.177","0.5.178","0.5.179","0.5.18","0.5.180","0.5.181","0.5.182","0.5.183","0.5.184","0.5.185","0.5.186","0.5.187","0.5.188","0.5.189","0.5.19","0.5.190","0.5.191","0.5.192","0.5.193","0.5.194","0.5.195","0.5.196","0.5.197","0.5.198","0.5.199","0.5.2","0.5.20","0.5.200","0.5.201","0.5.202","0.5.203","0.5.204","0.5.205","0.5.206","0.5.207","0.5.208","0.5.209","0.5.21","0.5.210","0.5.211","0.5.212","0.5.213","0.5.214","0.5.215","0.5.216","0.5.217","0.5.218","0.5.219","0.5.22","0.5.220","0.5.221","0.5.222","0.5.223","0.5.224","0.5.225","0.5.226","0.5.227","0.5.228","0.5.229","0.5.23","0.5.230","0.5.231","0.5.232","0.5.233","0.5.234","0.5.235","0.5.236","0.5.237","0.5.238","0.5.239","0.5.24","0.5.240","0.5.241","0.5.242","0.5.243","0.5.244","0.5.245","0.5.246","0.5.247","0.5.248","0.5.249","0.5.25","0.5.250","0.5.251","0.5.252","0.5.253","0.5.254","0.5.255","0.5.256","0.5.257","0.5.258","0.5.259","0.5.26","0.5.260","0.5.261","0.5.262","0.5.263","0.5.264","0.5.265","0.5.266","0.5.267","0.5.268","0.5.269","0.5.27","0.5.270","0.5.271","0.5.272","0.5.273","0.5.274","0.5.275","0.5.276","0.5.277","0.5.278","0.5.279","0.5.28","0.5.280","0.5.281","0.5.282","0.5.283","0.5.284","0.5.285","0.5.286","0.5.287","0.5.288","0.5.289","0.5.29","0.5.290","0.5.291","0.5.292","0.5.293","0.5.294","0.5.295","0.5.296","0.5.297","0.5.298","0.5.299","0.5.3","0.5.30","0.5.300","0.5.301","0.5.302","0.5.303","0.5.304","0.5.305","0.5.306","0.5.307","0.5.308","0.5.309","0.5.31","0.5.310","0.5.311","0.5.312","0.5.313","0.5.314","0.5.315","0.5.316","0.5.317","0.5.318","0.5.319","0.5.32","0.5.320","0.5.321","0.5.322","0.5.323","0.5.324","0.5.325","0.5.326","0.5.327","0.5.328","0.5.329","0.5.33","0.5.330","0.5.331","0.5.332","0.5.333","0.5.334","0.5.335","0.5.336","0.5.337","0.5.338","0.5.339","0.5.34","0.5.340","0.5.341","0.5.342","0.5.343","0.5.344","0.5.345","0.5.346","0.5.347","0.5.348","0.5.349","0.5.35","0.5.350","0.5.351","0.5.352","0.5.353","0.5.354","0.5.355","0.5.356","0.5.357","0.5.358","0.5.359","0.5.36","0.5.360","0.5.361","0.5.362","0.5.363","0.5.364","0.5.365","0.5.366","0.5.367","0.5.368","0.5.369","0.5.37","0.5.370","0.5.371","0.5.372","0.5.373","0.5.374","0.5.375","0.5.376","0.5.377","0.5.378","0.5.379","0.5.38","0.5.380","0.5.381","0.5.382","0.5.383","0.5.384","0.5.39","0.5.4","0.5.40","0.5.41","0.5.42","0.5.43","0.5.44","0.5.45","0.5.46","0.5.47","0.5.48","0.5.49","0.5.5","0.5.50","0.5.51","0.5.52","0.5.53","0.5.54","0.5.55","0.5.56","0.5.57","0.5.58","0.5.59","0.5.6","0.5.60","0.5.61","0.5.62","0.5.63","0.5.64","0.5.65","0.5.66","0.5.67","0.5.68","0.5.69","0.5.7","0.5.70","0.5.71","0.5.72","0.5.73","0.5.74","0.5.75","0.5.76","0.5.77","0.5.78","0.5.79","0.5.8","0.5.80","0.5.81","0.5.82","0.5.83","0.5.84","0.5.85","0.5.86","0.5.87","0.5.88","0.5.89","0.5.9","0.5.90","0.5.91","0.5.92","0.5.93","0.5.94","0.5.95","0.5.96","0.5.97","0.5.98","0.5.99","0.6.0","2.0.0","2.0.1","2.0.2","2.0.3","2.0.4","2.1.0","2.1.1","2.1.2","2.1.3","2.1.4","2.1.5","2.10.0","2.10.1","2.10.2","2.10.3","2.11.0","2.11.1","2.12.0","2.13.0","2.13.1","2.13.2","2.14.0","2.14.1","2.14.2","2.15.0","2.15.1","2.15.2","2.16.0","2.16.1","2.17.0","2.17.1","2.17.2","2.18.0","2.18.1","2.18.2","2.19.0","2.19.1","2.2.0","2.2.1","2.2.2","2.20.0","2.20.1","2.20.2","2.20.3","2.21.0","2.22.0","2.23.0","2.23.1","2.23.2","2.24.0","2.25.0","2.25.1","2.26.0","2.26.1","2.27.0","2.27.1","2.28.0","2.29.0","2.29.1","2.29.2","2.3.0","2.3.1","2.3.2","2.30.0","2.31.0","2.31.1","2.32.0","2.33.0","2.33.1","2.34.0","2.34.1","2.34.2","2.34.3","2.35.0","2.35.1","2.36.0","2.36.1","2.36.2","2.36.3","2.36.4","2.37.0","2.37.1","2.37.2","2.38.0","2.39.0","2.39.1","2.39.2","2.4.0","2.40.0","2.41.0","2.42.0","2.42.1","2.43.0","2.44.0","2.45.0","2.46.0","2.46.1","2.47.0","2.47.1","2.48.0","2.49.0","2.5.0","2.5.1","2.5.2","2.50.0","2.51.0","2.51.1","2.52.0","2.53.0","2.54.0","2.54.1","2.54.2","2.54.3","2.55.0","2.55.1","2.55.2","2.56.0","2.57.0","2.58.0","2.59.0","2.59.1","2.6.0","2.6.1","2.6.2","2.60.0","2.60.1","2.60.2","2.60.3","2.60.4","2.61.0","2.62.0","2.63.0","2.64.0","2.64.1","2.65.0","2.66.0","2.67.0","2.7.0","2.8.0","2.9.0","2.9.1","2.9.2","3.0.0","3.0.0-alpha.1","3.0.0-alpha.2","3.0.0-alpha.3","3.0.0-alpha.4","3.0.0-alpha.4.1","3.0.0-alpha.4.2","3.0.0-alpha.5","3.0.0-alpha.6","3.0.0-alpha.6.1","3.0.0-alpha.7","3.0.0-beta.1","3.0.0-beta.1.1","3.0.0-beta.2","3.0.0-beta.3","3.0.1","3.1.0","3.1.1","3.1.2","3.1.3","3.10.0","3.11.0","3.12.0","3.13.0","3.14.0","3.14.1","3.14.2","3.15.0","3.16.0","3.16.1","3.17.0","3.18.0","3.18.1","3.19.0","3.2.0","3.20.0","3.20.1","3.21.0","3.21.1","3.22.0","3.22.1","3.23.0","3.24.0","3.25.0","3.26.0","3.26.1","3.27.0","3.28.0","3.28.1","3.29.0","3.29.1","3.3.0","3.3.1","3.30.0","3.31.0","3.32.0","3.33.0","3.34.0","3.35.0","3.36.0","3.37.0","3.38.0","3.38.1","3.39.0","3.39.1","3.39.2","3.4.0","3.4.1","3.40.0","3.40.0-alpha","3.40.1","3.41.0","3.41.1","3.42.0","3.43.0","3.44.0","3.45.0","3.45.1","3.46.0","3.47.0","3.48.0","3.49.0","3.5.0","3.50.0","3.51.0","3.51.1","3.52.0","3.53.0","3.54.0","3.55.0","3.55.1","3.56.0","3.57.0","3.58.0","3.58.1","3.59.0","3.59.1","3.6.0","3.60.0","3.60.1","3.61.0","3.61.1","3.62.0","3.63.1","3.63.2","3.7.0","3.8.0","3.8.1","3.9.0","4.0.0","4.1.0","4.1.1","4.10.0","4.11.0","4.11.2","4.12.0","4.13.0","4.14.0","4.15.0","4.16.0","4.17.0","4.17.1","4.18.0","4.19.0","4.2.0","4.20.0","4.21.0","4.22.0","4.23.0","4.24.0","4.3.0","4.3.1","4.3.2","4.4.0","4.4.1","4.4.2","4.4.3","4.5.0","4.5.2","4.5.3","4.6.0","4.7.0","4.8.0","4.9.0","@apostrophecms/ai-helper@1.0.0-beta.11","@apostrophecms/apostrophe-astro@1.8.0","@apostrophecms/apostrophe-astro@1.9.0","@apostrophecms/cli@3.6.0","@apostrophecms/form@1.5.3","@apostrophecms/import-export@3.5.1","@apostrophecms/import-export@3.5.2","@apostrophecms/login-totp@1.3.3","@apostrophecms/openapi-generator@1.0.0","@apostrophecms/seo@1.4.0","apostrophe@4.25.0","apostrophe@4.26.0","apostrophecms-openapi@1.1.0","postcss-viewport-to-container-toggle@2.2.0","sanitize-html@2.17.1","v0.4.68"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-32730.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}